Citing potential risks to patient health and safety due to cybersecurity vulnerabilities in medical devices, the Food and Drug Administration (FDA), Center for Devices and Radiological Health (CDRH) has proposed industry guidance calling for medical device vendors to monitor, report and mitigate cybersecurity vulnerabilities and exploits as part of a manufacturer’s post-market management program. The FDA action would apply only to networkable and implantable medical devices that require FDA approval. Many health care technologies, software and consumer oriented applications are not classified as medical devices by the FDA and would not be subject to the proposed surveillance, reporting or mitigation management program.
While the FDA’s medical device cybersecurity proposed guidance would put the onus on manufacturers and vendors to develop monitoring and mitigation programs, healthcare organizations are the primary end users of most networked medical devices. The proposed medical device cybersecurity guidance was the centerpiece of a two day workshop held earlier this week at the agency’s White Oak Campus, bringing together stakeholders representing government, health care organizations, and medical device manufacturers to discuss a work plan to improve surveillance, identification of threats, and response to vulnerabilities impacting networked and implantable medical devices.
Specifically, the FDA’s proposed medical device cybersecurity guidance for medical device manufacturers calls for the industry to proactively plan for and assess cybersecurity vulnerabilities. The draft guidance recommends that manufacturers implement a structured, systematic and comprehensive cybersecurity risk management program and respond in a timely fashion to identified vulnerabilities. Critical components of such a program would include medical device manufacturers developing management approaches to:
- Apply the NIST Framework for Improving Critical Infrastructure Cybersecurity, which includes the core principles of “Identify, Protect, Detect, Respond and Recover;”
- Monitor cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk;
- Understand, assess and detect presence and impact of a vulnerability;
- Establish and communicate processes for vulnerability intake and handling;
- Clearly define essential clinical performance to develop mitigations that protect, respond and recover from the cybersecurity risk;
- Adopt a coordinated vulnerability disclosure policy and practice; and
- Deploy mitigations that address cybersecurity risk early and prior to exploitation.
For the majority of cases, actions taken by manufacturers to address cybersecurity vulnerabilities and exploits are considered “cybersecurity routine updates or patches,” for which the FDA does not require advance notification, additional premarket review or reporting under its regulations. Manufacturers would notify medical device owners and end users of the discovery of a cybersecurity vulnerability or exploit and provide the software patch or update that addresses the risk.
For a small subset of cybersecurity vulnerabilities and exploits that may compromise the essential clinical performance of a device and present a reasonable probability of serious adverse health consequences or death, the FDA would require medical device manufacturers to notify the agency. The FDA would then coordinate with the manufacturer on notification of device owners and consumers, or on a recall of the medical device from the marketplace.